Overview of Securing Web Services in Fusion Middleware 11g (SOA / ADF / WebCenter)
This post covers basic concepts around securing web services in Fusion Middleware 11g. If you are administrator or developer, working on Fusion Middleware (and developing/managing web services) then you may find this post useful (This post covers conceptual points around web services security. For detailed steps and advanced topics stay tuned to this blog)
1) WebServices in Fusion Middleware (FMW) 11g are classified in two categories
a) WebLogic Web Service – Java EE webservices
b) SOA, ADF and WebCenter Services
2) Depending on kind of Webservices (mentioned above), webservices in FMW are protected by
a) Oracle Web Services Manager (OWSM) Policy– for SOA, ADF and WebCenter Services
b) Oracle WebLogic Web Service Policy– for WebLogic Web Services
3) Depending on kind of Webservices (mentioned above), administrators can protect webservices using
a) Fusion Middleware Control (/em) – “SOA, ADF and WebCenter Services” or “WebLogic Web Service”
b) WebLogic Scripting Tool (WLST) – “SOA, ADF and WebCenter Services”
c) Oracle WebLogic Console (/console) – “WebLogic Web Service”
4) Security in Web Services can be implemented at
a) Transport Level – by implementing SSL to access Web Service, to protect communication channel between Web Service Consumer and Provider
b) Message Level or Application Level – by implementing XML Encryption, XML signature. To know more read WS-Security which defines how to attach XML signature or XML Encryption headers.
5.Tool used in Oracle Fusion Middleware (FMW) to protect Web Services around FMW components (SOA Suite, WebCenter Suite and Application Development Framework (ADF)) is Oracle Web Services Manager (OWSM)
To know more about OWSM in 10g click here or for OWSM in 11g click here
6. Role of OWSM (Oracle Web Services Manager)
a) at Client Side – OWSM intercepts SOAP message request to service and
i) Injects relevant tokens(username, group and other information) – depending on policy defined to protect webservice
ii) Signs Encrypt message– – depending on policy defined to protect webservice
b) at Server side – OWSM intercepts SOAP message request to service and
i) Extracts relevant tokens
ii) Verifies client’s credentialsagainst Identity Management Solution (OID, Oracle Access Manager) or WebLogic’s default LDAP server.
7. OWSM Architecture includes – Enterprise Manager Fusion Middleware Control, OWSM Policy Manager, OWSM Agent, Policy Interceptors, Metadata Store and Database
More on OWSM in 11g and changes from 10g OWSM to 11g OWSM in future posts !!
8. For authentication and authorization – Policy Enforcement Point (PEP – Part of OWSM) leverages OPSS (Orale Platform Security Services) Login Moduleand WebLogic Server Security Authenticator.
More on OPSS coming soon !!!
9. Policy Assertions– is smallest unit of policy that performs specific action for request and response .
10. Policy – consists of one or more policy assertions. Policy describe capabilities and requirement of web service like how a message must be secured, whether and how a message must be delivered reliably etc..
11. Policy in Oracle Fusion Middleware 11g could be of following types
i) WS-Reliable Messaging – Guaranteed delivery of SOAP message, and can maintain order of sequence of messages more here
ii) Management – Log request, response and fault to a message log
iii) WS-Addressing – Policies that verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification here
iv) Security– security policy that implements WS-Security 1.0 and 1.1 . These type of policy enfoces message protection
v) Message Transmission Optimization Mechanism (MTOM) – Binary content (like images) can be sent as MIME attachment, which reduces transmission size . MTOM policy ensures that message is converted to MIME attachment before it is sent to Web Service or Client.
.
References
For more information on below topics stay tuned to this blog
– Default Policy (to protect web services in Oracle Fusion Middleware)
– How to create policy and attach to Web Service
– How to integrate OWSM (in 11g Fusion Middleware) with Oracle Internet Directory (LDAP server) for authentication